Part One: Single Sign-On Versus Same Sign-On with Office 365 and Active Directory Domain Services

One question every customer who has Active Directory Domain Services asks during a migration from on-premises servers to Office 365 is, “What is the login experience?” The short, consulting answer is: “It depends.” I have attempted to provide the longer answer in the remaining paragraphs of this post; however, to set the context, I’m first going to give you a little background on the key variables that affect the answer.

Microsoft provides cloud-scale identity and access management via a cloud-based directory named Microsoft Azure Active Directory (Azure AD). A small business that subscribes to Office 365 – and doesn’t have an on-premises directory such as Active Directory Domain Services – relies solely on Azure AD.

Active Directory Domain Services (AD DS) is often referred to simply as “Active Directory” because it was introduced with Windows 2000 Server and gained widespread adoption through Windows Server 2003. AD DS is the directory for almost every organization with more than about 100 users or Windows client computers because it centralizes the management of users, passwords, domain-joined Windows clients, domain-joined Windows Servers, and much more.

Your users who have an AD DS account and are using a domain-joined Windows client have always been able to simply connect to [traditional on-premises] Exchange Server, SharePoint Server, and Lync Server (now Skype for Business Server) without being prompted for credentials. This is referred to as single sign-on (SSO) because, unbeknownst to the user, the credentials of the Windows logon session are reused behind the scenes: NTLM challenge/response (the legacy protocol) and Kerberos tickets (the preferred one) prove the user’s identity to those applications, and the applications then decide what the user is allowed to access. Properly configured, SSO “just worked.”

Microsoft developed an application whose specific purpose is synchronizing users and groups already in AD DS to Azure AD. The current version of this application is named Azure Active Directory Synchronization Service (AAD Sync). It has several key capabilities, including synchronizing password hashes from AD DS to Azure AD (what is sent is a salted, re-hashed form of the NT hash, so neither the cleartext password nor the original hash stored in AD DS leaves the domain), support for multiple AD DS forests, and, with an Azure AD Premium subscription, writing a password changed in Azure AD back to AD DS (password writeback).

We can now begin answering the question: “What is the login experience?” Microsoft once showed the following user experience matrix, so I recreated it and have continually modified it as new functionality has come online. While the 10,000-foot answers are outlined in the matrix, I’ll dive deeper in the following paragraphs, explaining the end user’s login experience and giving a high-level overview of the other products and cloud services that can participate in authentication.

Office 365 Login User Experience Matrix

In part one of this post, we’re going to cover Office 365 and Azure AD stand-alone, as well as Azure AD with AAD Sync from Column 1 of the Office 365 Login User Experience Matrix.

This setup is the minimum requirement to run Office 365 online services. Whether you are a small business with only an Office 365 subscription or a larger organization that relies on AAD Sync to sync AD DS to Azure AD, the users’ experience will be similar. The primary difference is where passwords are changed: small business users change their password from within the online apps, whereas users in larger organizations must change it in AD DS (Ctrl-Alt-Del on a domain-joined PC), because without password writeback the synchronization is one-way; the new hash then reaches Azure AD within a few minutes. For users in the latter category, Microsoft calls this experience same sign-on, meaning that any time users are prompted for credentials, they use their AD DS User Principal Name (UPN) and password, which Azure AD verifies against the synchronized hash. One caveat to check before enabling the sync: the AD DS UPN suffix must be a domain that has been added and verified in Office 365 (a non-routable suffix such as .local will not do); otherwise the synchronized account is created under the tenant’s onmicrosoft.com name and the AD DS UPN will not sign in to Office 365.
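A pre-flight check for the same sign-on scenario, covering both the AAD Sync paragraph above and this one, as an added example that is not part of the original post. The `Find-UnroutableUpn` function, the sample users and the verified-domain list are constructed for illustration so the script runs offline; the commented-out lines show where the live data comes from (the `ActiveDirectory` and `MSOnline` PowerShell modules of the AAD Sync era, which the post does not mention and whose use here is my assumption).

```powershell
# Added example, not from the original post. Before enabling AAD Sync, verify
# the two things "same sign-on" depends on:
#   1. Every AD DS user's UPN suffix is a domain verified in Office 365. A user
#      whose suffix is not verified is created as user@tenant.onmicrosoft.com,
#      so the AD DS UPN the post describes will not sign in.
#   2. Password hash sync is enabled and has run recently.
# The user list and verified-domain list below are constructed sample data so
# the script runs offline; the commented-out lines show the live queries.

function Find-UnroutableUpn {
    [CmdletBinding()]
    param(
        # AllowEmptyString so users whose userPrincipalName was never set still
        # flow through and get reported rather than rejected by the binder.
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $UserPrincipalNames,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    # Domain names are case-insensitive; normalise once.
    $verified = @($VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() })

    foreach ($upn in $UserPrincipalNames) {
        $parts = @($upn -split '@', 2)
        if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) {
            # Attribute never populated, or malformed: Office 365 falls back to
            # the onmicrosoft.com suffix for this account.
            [pscustomobject]@{ UserPrincipalName = $upn; Reason = 'No UPN suffix' }
            continue
        }
        $suffix = $parts[1].ToLowerInvariant()
        if ($verified -notcontains $suffix) {
            [pscustomobject]@{
                UserPrincipalName = $upn
                Reason            = "Suffix '$suffix' is not a verified Office 365 domain"
            }
        }
    }
}

# ----- Constructed sample data -----
$sampleUpns = @(
    'alice@contoso.com'
    'bob@contoso.local'      # non-routable suffix, common in forests built before Office 365
    'carol@CONTOSO.COM'      # differs only in case and must be treated as routable
    'dave'                   # userPrincipalName attribute never set
)
$sampleVerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Live equivalents (ActiveDirectory and MSOnline modules; run Connect-MsolService first):
# $sampleUpns            = (Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName).UserPrincipalName
# $sampleVerifiedDomains = (Get-MsolDomain | Where-Object Status -eq 'Verified').Name

Find-UnroutableUpn -UserPrincipalNames $sampleUpns -VerifiedDomains $sampleVerifiedDomains |
    Format-Table -AutoSize

# Sync health (live tenant only): password sync must be on and LastPasswordSyncTime
# recent, otherwise a password just changed with Ctrl-Alt-Del is not yet valid
# in Office 365.
# Get-MsolCompanyInformation |
#     Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
#                   PasswordSynchronizationEnabled, LastPasswordSyncTime
```

Run against the constructed sample, the function reports `bob@contoso.local` (suffix not verified) and `dave` (no suffix) and stays silent on `alice` and `carol`, since domain comparison is case-insensitive. In a real forest, every account it lists needs its UPN suffix changed to a verified domain (the usual fix is adding the public domain as an alternative UPN suffix and updating the affected users) before the first sync, because fixing it afterwards changes the users’ cloud sign-in names.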

As the matrix indicates, users are required to log in to every session, although fortunately password caching prevents the experience from being a showstopper. For all “rich app” scenarios (client-side software like Outlook), as long as the user checks the “save user ID and password” checkbox, the app will automatically log in the user and either synchronize email or enable IM/presence/VoIP. Outlook for Windows and the Skype for Business client do this using the Windows client password management technology called Windows Credential Manager (a.k.a. the vault). Those saved entries are protected with DPAPI under the user’s Windows profile, which means anyone who can run code in that user’s session (or who learns the user’s Windows password) can recover the Office 365 password in cleartext; `cmdkey /list` shows which entries are stored. Outlook for Mac uses a similar technology, and the mail apps on all smartphones which support Exchange ActiveSync can also remember login IDs and passwords. Microsoft’s Lync/Skype for Business clients for Mac, iOS, Android and Windows Phone all have built-in remember-password functionality.

Users using a browser to access Office 365 online services such as Outlook Web App or the SharePoint Online portal can use their browser’s password cache to pre-fill the Office 365 web sign-in form shown in the screenshot.

Interested in learning more about single sign-on versus same sign-on? We’ll cover the remaining matrix columns in parts two and three of this post.